| <!DOCTYPE html> |
| <meta charset=utf-8> |
| <title>CORS - 304 Responses</title> |
| <meta name=author title="Mark Nottingham" href="mailto:mnot@mnot.net"> |
| |
| <script src=/resources/testharness.js></script> |
| <script src=/resources/testharnessreport.js></script> |
| <script src=support.js?pipe=sub></script> |
| |
| <h1>CORS - 304 Responses</h1> |
| <div id=log></div> |
| <script> |
| |
| |
| /* |
| * 304 Responses |
| */ |
| |
| // A header used to correlate requests and responses |
| var state_header = "content-language" |
| |
| /* Make a request; call ready(client) when done */ |
| function req(url, id, t, ready) { |
| var client = new XMLHttpRequest() |
| client.open('GET', url, true) |
| client.setRequestHeader(state_header, id) |
| client.send() |
| client.onreadystatechange = function() { |
| if (client.readyState == client.DONE) { |
| t.step(function() { |
| assert_true(client.status != 299, "req " + id + " server says: " + client.responseText) |
| }) |
| ready(client) |
| } |
| } |
| return client |
| } |
| |
| /* |
| * Make two requests to test cache behaviour. |
| * The second is made after the first is done and a delay, to make sure it gets into cache. |
| */ |
| function two_reqs(id1, id2, should_have_same_body, t, done) { |
| var rand = Date.now() |
| var url = CROSSDOMAIN + 'resources/304.py?id=' + id1 + '&r=%s' + rand |
| |
| var client1 = req(url, id1, t, function(client1) { |
| t.step(function() { |
| assert_equals(client1.response, "Success", "didn't get successful 1st response;") |
| assert_equals(client1.getResponseHeader(state_header), id1, "1st response didn't come from server;") |
| }) |
| |
| t.step_timeout(function() { |
| req(url, id2, t, function(client2) { |
| t.step(function() { |
| if (should_have_same_body) { |
| assert_equals(client1.response, client2.response, "response bodies were different;") |
| // var res_id2 = client2.getResponseHeader(state_header) |
| // assert_not_equals(res_id2, id1, "2nd response doesn't appear to have updated cached headers;") |
| // assert_not_equals(res_id2, null, "2nd response didn't expose request identifier;") |
| // assert_equals(res_id2, id2, "2nd response is associated with a different request (!);") |
| } |
| done(client1, client2) |
| }) |
| t.done() |
| }) |
| }, 5000) |
| }) |
| } |
| |
| async_test(function(t) { |
| two_reqs('1', '2', true, t, function(client1, client2) { |
| assert_equals(client1.getResponseHeader("A"), null, "'A' header exposed without permission;") |
| }) |
| }, "A 304 response with no CORS headers inherits from the stored response") |
| |
| async_test(function(t) { |
| two_reqs('3', '4', true, t, function(client1, client2) { |
| assert_equals(client2.getResponseHeader("A"), "4", "304 didn't expose 'A' header, even though allowed;") |
| assert_equals(client2.getResponseHeader("B"), "4", "304 didn't expose 'B' header even though allowed;") |
| }) |
| }, "A 304 can expand Access-Control-Expose-Headers") |
| |
| async_test(function(t) { |
| two_reqs('5', '6', true, t, function(client1, client2) { |
| assert_equals(client2.getResponseHeader("B"), null, "2nd 304 exposed 'B' header;") |
| }) |
| }, "A 304 can contract Access-Control-Expose-Headers") |
| |
| async_test(function(t) { |
| two_reqs('7', '8', false, t, function(client1, client2) { |
| assert_not_equals(client1.response, client2.response, "Access granted even though 304 updated it to disallow;") |
| }) |
| }, "A 304 can change Access-Control-Allow-Origin") |
| |
| |
| </script> |